We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Italy – new rules on cookies and internet profiling!

After a long public consultation process, the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) finally issued its decision on the “simplified information notice and cookie consent” (“Cookie Decision”).

With the Cookie Decision, the Garante clarifies the distinction between technical and profiling cookies. To sum up:

Technical cookies are cookies required for providing “electronic communications or information society services”; in other words, all cookies required to ensure the running of the site. To this broad category, the Garante associates also the analytic cookies placed by the publisher or the manager the site (editore o gestore del sito), provided that the only aggregated data are processed, as well as the functionality cookies to improve the service provided to the users (e.g. language preferences).

Behavioral or profiling cookies are all cookies that allow a profiling of the user, so as to propose to the same user more tailored advertising. While no prior consent is provided for technical cookies, behavioral cookies require a specific and express consent.

The Garante further clarifies the distinction between first and third party cookies, defining as first party cookies all cookies placed by the publisher or the manager of the site, whereas all third party cookies are simply those cookies that are not placed by third parties. In this respect, the Garante acknowledged that the first parties may well not be aware of the existence of third parties placing cookies through the same first parties’ site. Consequently, in gathering the consent also for third parties’ cookies, the first parties are considered as mere “technical intermediary” (intermediari tecnici) – an interesting new concept for Data Protection, recognizing how Internet (and behavioral advertising) is de facto populated by a large number of arbitrators.

As for the new rules set out by the Cookie Decision, all sites with cookies will now have to provide for a two layer information notice, with a first summarized notice including a link to a second and more complete notice.

The first simplified notice is set through a banner to be placed in the homepage and to be devised in a way to create some “discontinuity” with the usage of the site contents. The banner will also contain some basic information, including a mention of any placing of behavioral or third parties cookies, a link to the extended information notice, the mention that it is possible to deny consent, and the indication that the continuation of the usage of the site will imply a cookie acceptance. This last point is very relevant, as such consent will have to be provided through “a positive action”, i.e. by removing banner through a click or continuing to read other underlying active pages. It will not be possible to simply ignore the banner. The publisher or manager of the site will then have to keep track of such consent through a (technical!) cookie.

As stated above, the simplified information notice will link to the more complete information notice, which will include more analytical information, including all information required by the laws. Such notice will include also the links to the third parties’ information notices, or other intermediary parties. It should also be specifically mentioned the possibility to object against the usage of cookies also through the browser settings.

As also discussed in our previous posts, the Garante had to operate within a legal framework based on consent. It clearly stated that it made an attempt to avoid unnecessary obstacles to the current internet users’ experience: it will now be very important to assess how the new rules will be implemented in practice (there are some parts that will need to be further clarified).

All operators will have a grace period of 12 months to adapt to the new rules. And they better do so, as any failure to comply with the regulations on profiling and cookies may entail substantial fines.